Security Policy and Plan
Last Revised: 03 Oct 2006
- General Information Protection Policy
- General Information Handling
- System Controls
- Electronic Mail
- Anti-Virus Software
- Installing Software and File Sharing
- Operating System Patches and Upgrades
The purpose of this policy is to establish management direction, procedures, and requirements to ensure the appropriate protection of Clayton State University (CSU) networks, computers, servers and information transmitted over both local and external networks.
This policy applies to all network users (faculty, students, employees, contractors, consultants, temporaries, and other personnel) at CSU, including those affiliated with third parties who access CSU computer networks. Throughout this policy, the word "user" will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by and/or administered by CSU and connected to the CSU LAN.
By use of the CSU network and provided user ids, all users are bound by the terms of this policy and it is the users’ responsibility to be familiar with the contents and updates to this policy.
Any policies in this document or updates, once approved by the President's Cabinet, will be applied retroactively as need be.
Best practices and user recommendations will appear as highlighted text. These contain explanations and plain English translations.
All information traveling over CSU computer networks that has not been specifically identified as the property of other parties will be treated as though it is a University System of Georgia (USG) business asset. It is the policy of CSU to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of any information. In addition, it is the policy of CSU to protect information belonging to third parties that has been entrusted to CSU in confidence.
The Vice President of OITS is responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security policies, standards, guidelines, and procedures. While responsibility for information systems security on a day-to-day basis is every user’s duty, specific guidance, direction, and authority for information systems security is centralized for all of CSU and its subsidiaries in OITS. Accordingly, OITS will perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment.
An Information Systems Security Committee will be established and chaired by the Vice President of the Office of Information Technology & Services (OITS) with representatives from CSU's major departments. The committee will: (a) periodically review the status of CSU's computer and network security, (b) as needed, review and monitor remedial work related to computer and network security incidents, (c) recommend and review the results of major projects dealing with computer and network security, (d) recommend changes to information security policies, standards, guidelines, and procedures, and (e) perform other high-level information security management activities.
The Director of Networking and Enterprise Services in OITS is responsible for conducting investigations into any alleged computer or network security compromises, incidents, or problems. All security compromises or potential security compromises will be reported by Networking and Enterprise Services to the Vice President of OITS and the Director of Public Safety.
For machines not maintained by OITS, the individual System Administrators are responsible for acting as information systems security coordinators. These individuals are responsible for establishing appropriate user privileges, monitoring access control logs, and performing similar security actions for the systems they administer. They are also responsible for reporting all suspicious computer and network-security-related activities to email@example.com. Administrators also serve as local information security liaisons, implementing the requirements of CSU's Information Systems Security Policies, Standards, Guidelines, and Procedures. Each CSU department with a Network Server must designate an individual to serve as a system security administrator.
System Administrators are responsible for ensuring that appropriate computer and communication system security measures are observed in their area. Besides funds and staff time needed to meet the requirements of these policies, System Administrators are also responsible for making sure that all users are aware of CSU policies related to computer and communication system security.
Users are responsible for complying with this and all other CSU Computer and Acceptable Use Policies.
The University deals with various types of information that are protected under many Federal regulations. It is important that this information be carefully protected.
- Information should be stored on centralized institutional servers when at all possible instead of on desktop computers, laptops and portable media.
- Media containing sensitive information should be properly disposed of:
- Paper documents and reports should be shredded.
- Removable magnetic and optical media should be erased and then physically damaged before disposal.
- Machines being relocated between offices or sent to surplus must be processed by Client Services, who will properly clean and/or dispose of the hard drive. For more information, see the Surplus Computer Policy.
User IDs and Passwords
- All computers permanently or intermittently connected to CSU networks or with access to sensitive information must have password access controls.
- Multi-user systems must employ user-IDs and passwords unique to each user, as well as user privilege restriction mechanisms.
You should never share your password with anyone. Nor should anyone allow someone else to use your ID and password. In many cases, log files are maintained and you are responsible for activity by your user account.
- Network-connected single-user systems must employ hardware or software mechanisms that control system booting and that include a no-activity screen saver that requires a password to reopen the screen. If the machine is left unattended by the person logged in, the screen must be locked before leaving. This is not a requirement for student machines but is recommended.
A user must be verified before they can gain access to the files on a machine. This means that they must login to the machine and not be able to bypass the login. Windows 95/98/ME should not be used.
- Computer and communication system access control must be achieved via passwords that are unique to each individual user. Access control to files, applications, databases, computers, networks, and other system resources via shared passwords or logins (also called "group passwords" or “group logins”) is prohibited.
Group passwords are any password and userid that is used by more than one person, such as 5 people logging into Banner using the same userid and password. Each person accessing a resource should have their own userid and password on that resource.
- Wherever systems software permits, the display and printing of passwords must be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.
- Written passwords will not be stored in the proximity of the machine unless secured.
- Wherever systems software permits, the initial passwords issued to a new user by a security administrator must be valid only for the new user's first on-line session. At that time, the user must be forced to choose another password. This same process applies to the resetting of passwords in the event that a user forgets a password.
- All vendor-supplied default passwords must be changed before any computer or communications system is used for CSU business. This policy applies to passwords associated with end-user user-IDs, as well as passwords associated with systems administrator and other privileged user-IDs.
- To prevent “password guessing” attacks, where systems software permits, the number of consecutive attempts to enter an incorrect password must be strictly limited. If dial-up or other external network connections are involved, the session must be disconnected after the unsuccessful attempts.
- The computer and communications system privileges of all users, systems, and independently-operating programs (such as "agents") must be restricted based on the need-to-know. This means that privileges must not be extended unless a legitimate business-oriented need for such privileges exists. System Administrator or superuser privileges should only be extended to those persons who have the primary responsibility for that system.
- Users should not give out passwords to any other user, even if requested by a member of OITS. If a user needs help and a support person needs to login as that user, the password should be reset by OITS and then reset for the user once support is done.
- Employee logins are requested by Human Resources at the time of hire and are terminated when Human Resources notifies OITS the person is no longer employed. Accounts will not be created without Human Resources requesting them.
- Non-CSU employees will not be given network logins.
If you are using a contractor for web development, they will not be able to place the files on the web server. They must submit the files to the CSU user (floppy, e-mail, CD-ROM, etc.) and then the CSU user can place the files on the web server.
- Whenever system security has been compromised, or even if there is a convincing reason to believe that it has been compromised, the involved System Administrator must immediately: (a) reassign all relevant passwords, and (b) force every password on the involved system to be changed at the time of the next log-in.
If the system is hacked, then change the passwords to keep further damage from happening while investigating, but before reloading the system.
- After investigation of a compromised system, a trusted version of the operating system and all software must be reloaded from uncompromised storage media such as CD-ROMs, magnetic tapes, or original source code floppy disks. The involved system(s) must then be rebooted.
For further information about security incidents, refer to the Incident Response Document.
- To the extent that systems software permits, network servers and communications systems handling sensitive, valuable, or critical CSU information must securely log all significant security relevant events. Examples of security relevant events include: logons, logoffs, unsuccessful logon attempts, users switching user-IDs during an on-line session, attempts to guess passwords, attempts to use privileges that have not been authorized, modifications to production application software, modifications to system software, changes to user privileges, and changes to logging subsystems.
- Logs containing computer or communications system security relevant events must be retained for at least three (3) months. During this period, logs must be secured such that they cannot be modified, and such that they can be read only by authorized persons. These logs are important for error correction, security breach recovery, investigations, and related efforts.
- To provide evidence for investigation, prosecution, and disciplinary actions, certain information must be captured whenever it is suspected that computer or network related crime or abuse has taken place. The relevant information must be securely stored off-line until such time as it is determined that CSU will not pursue legal action or otherwise use the information. The information to be immediately collected includes the system logs, application audit trails, other indications of the current system states, as well as copies of all potentially involved files.
- To allow proper remedial action to be taken in a timely manner, records reflecting security relevant events must be reviewed in a timely manner by server administrators.
- If users employ systems facilities which allow them to change the active user-ID to gain certain privileges, they must have initially logged-in employing a user-ID that clearly indicates their identity. On UNIX systems, this means that users must be prevented from initially logging-in as "root," but must instead first login employing their own user-ID. If such users have been granted the ability to achieve superuser privileges, they may then "set userid" ("su") to gain "root" access. Whatever the operating system, logs must record all such changes of current user-IDs.
- Users must be put on notice about the specific acts that constitute computer and network security violations. Users must also be informed that such violations will be logged.
- Network-connected workstations providing remote network access are forbidden because they do not provide adequate security. This includes setting up office or departmental modems or Virtual Private Network (VPN) servers to gain access to the campus network. The only remote access methods authorized are via the OITS supplied VPN and dial-up connections. These services are not authorized to run on user workstations.
- Do not attach a modem to a CSU machine and use it to provide dial-in/remote access to the campus network. This includes applications such as PC Anywhere and Carbon Copy. Don’t set up your machine as a VPN server – use what we provide instead. You can’t use your CSU machine as your Internet Service Provider (ISP).
- Connections to CSU systems from outside of the CSU internal network must be done via VPN or other such technology provided by CSU to verify user identity and provide a secure communication channel over an unknown network.
To access our internal servers remotely, you need to use VPN so we know who you are.
- The log-in process for network-connected CSU computer systems must simply ask the user to log-in, providing prompts as needed. Specific information about the organization, the computer operating system, the network configuration, or other internal matters must not be provided until a user has successfully provided both a valid user-ID and a valid password.
Do not give out any information that isn’t necessary for service or login.
- Third party vendors must NOT be given remote privileges or access to CSU computers and/or networks unless the Vice President of OITS determines that they have a bona fide need. These privileges must be enabled only for the time period required to accomplish the approved tasks (such as remote maintenance). If a perpetual or long-term connection is required, then the connection must be established by approved extended user authentication methods (hand-held tokens, software-based challenge/response process, etc.).
- Users must NOT establish local area networks, connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of the Vice President of OITS. Likewise, new types of real-time connections between two or more in-house computer systems must not be established unless such approval has first been obtained. This policy helps to ensure that all CSU systems have the controls needed to protect other network-connected systems. Security requirements for a network-connected system are not just a function of the connected system; they are also a function of all other CSU connected systems.
- Any computer that is made a member of a CSU domain must preserve full control for the domain admins.
- Information relating to the setup of CSU networks, user ids, etc. should only be available to authenticated users.
By keeping this information restricted, however simple the information may seem, it is one more item a potential cracker will need to learn on their own.
- Any network servers set up by users outside of OITS Telecommunications and Networking must first be approved by the Vice President of OITS.
- Telecommunications and Networking must be provided with both a normal user login, and a separate administrative account. This access is provided in case OITS has determined this machine to be causing problems on the CSU network and needs to be shut down by OITS. These accounts must be provided to OITS within 48 hours of placing the machine online. On Windows systems, the administrative account should be a member of the local Administrators group. On a Unix machine, the account should have a userid of 0. Regardless of OS, the normal user account will be named cts and the administrative account ctsadmin.
- ITS will not manage these servers.
- Departments will be responsible for performing all backups according to the University's Backup Policies.
- Departmental Servers will be firewalled.
- Departmental Servers will be dedicated to single functions.
- Departmental Servers, along with ITS Servers will be scanned for vulnerabilities on a regular basis.
- ITS will only allow traffic for the ports and services we have been notified are running on the server.
Enterprise Level Servers
This section relates to servers that are critical to the continual business function of CSU. These are servers which provide critical enterprise level services or deal with any of the university's finances.
- The servers will be located in a limited-access secured area.
- Access to resources will require a password protected login and should be restricted to authorized personnel only.
- Server location shall contain fire, water and physical intrusion detection which alerts needed personnel.
- Systems will be placed on an Uninterruptible Power Supply (UPS).
- Enterprise Servers will be firewalled.
- Enterprise Servers will be dedicated to single functions.
- Wherever possible, encrypted communications and storage should be used.
- Servers will be cataloged by OITS for reporting and auditing purposes.
- A list of system interdependencies will be provided for the server showing what services the server relies on, and what services rely on the server.
E-mail is one of the most important information technologies. Consequently, it requires a section of its own.
- OITS maintains the campus e-mail gateway. All e-mail entering and leaving campus must go through the University Email Gateway to ensure that all e-mail is properly scanned for viruses and malware.
- Sensitive data should not be sent off campus via e-mail unless required. In doing so, the information should be sent in a method to protect the data from interception, such as encryption. You shouldn't write anything in e-mail that you would not want to send on a postcard through the mail.
- E-mail stored on campus equipment is property of the University.
While the University tries to protect e-mail from unauthorized access, it is state property. Do not send anything via email that is private or personal.
Firewalls are necessary to protect computers and networks from network based attacks. Firewalls work by blocking software ports from unnecessary traffic and letting only legitimate selective traffic through.
- OITS maintains two types of firewalls. The External Internet Firewall protects the CSU Network from external attacks from the Internet. The Internal Firewall protects switches and campus computers from attacks from internal threats.
- CSU's Firewalls are configured to allow the University to operate the systems it needs for teaching, learning, exploration, and ecommerce while at the same time keeping the University secure from attacks.
- Exceptions to the firewall rules will be handled on a case-by-case basis by Telecommunications and Networking. If a rule is changed, it will be done so in such a way as to allow the bare minimum of traffic to accommodate the needed change.
- Students, faculty, and staff are responsible for running personal firewalls on all laptop and desktop computers. Windows XP has a built-in firewall that will protect the machine when it is off the CSU network and exposed to attacks from home and other locations.
- The Windows XP Firewall should be turned on all of the time.
- Departmental Servers must be firewalled.
- All users must keep OITS approved anti-virus screening software enabled on their computers with up-to-date virus pattern recognition files. This screening software must be used to scan all software coming from either third parties or other CSU departments, and the scanning must take place before the new software is executed. Users may not bypass scanning processes that could arrest the transmission of computer viruses. CSU has a site license for antivirus software from F-Secure. You must have F-Secure and BackWeb running all of the time on all of your machines.
- Although users are responsible for eradicating viruses from their systems whenever they have been detected, the Hub must be notified immediately at 678-466-4357 whenever a system has been infected. This is so that the Help Desk can ensure that no other infections take place and that experts needed to eradicate the virus are promptly engaged.
Software obtained from the Internet is often infected with viruses, worms, adware, and spyware which can wipe out the contents of your hard disk or take control of your computer and attack other computers in your office.
Unrestricted File Sharing permits anyone on the Internet to store files on your hard disk.
- Software that is not necessary for your job and is not approved by your Department Head should not be installed onto University computers. TheHub@mail.clayton.edu or (678) 466-HELP (4357) can assist in locating software to help with your specific needs.
- Unrestricted File Sharing Software should not be installed onto University systems. Unrestricted File Sharing permits anyone on the Internet to store files on your hard disk which can wipe out the contents of your hard disk or take control of your computer and attack other computers in your office and on campus.
OPERATING SYSTEM PATCHES AND UPGRADES
- Users are responsible for keeping their machines patched with the latest operating system patches and upgrades.
- Windows machines should have Automatic Updates Enabled (Control Panel --> Automatic Updates) to ensure that patches and updates are installed in a timely fashion.
- Every semester, users should evaluate the configuration of their computers with a security analyzer to detect and fix security vulnerabilities.
- Microsoft's Baseline Security Analyzer should be used to evaluate Windows machines. Telecommunications and Networking may be contacted for security analyzers for UNIX and other operating systems.
- To protect CSU's information resources from loss or damage, microcomputer users are responsible for backing up important information on their hard disks.
- For Departmental Servers and multiuser systems, the Departmental Administrator is responsible for making periodic backups to off-line media.
- All sensitive, valuable, or critical information resident on CSU computer systems and networks must be periodically backed-up. Department Heads must define what information and which machines are to be backed-up, the frequency of back-up, and the method of back-up based on the following guidelines:
- If the system supports more than one individual and contains data that is critical to the day-to-day operation within CSU, then back up is required daily.
- If the system is used to support job related functions and contains key data critical to the day-to-day operation of that job, then the key data will be backed up weekly.
- If the system is primarily used as a personal productivity tool and contains no data that would be classified as job or departmental in nature, then back ups should be made monthly.
- Departmental and Enterprise Systems for mission critical CSU systems must be backed up to daily tapes which are to be retained and stored according to the following schedule:
- Daily tapes should be stored in a secure fire-proof location in another campus building and kept for a week.
- Friday and monthly daily tapes should be taken to an off-campus safe deposit box and kept for a month.
- Last day of the month daily tapes should be kept in an off-campus safe deposit box for a year.
- Yearly daily tapes should be kept in an off-campus safe deposit box for two years.
- File and system restoration should be tested regularly to ensure that backup media and systems are working properly.
- To prevent information from being revealed to or used by unauthorized parties, all CSU "restricted" or "confidential" information stored on back-up computer media (magnetic tapes, floppy disks, optical disks, etc.) should be encrypted using approved encrypting methods when possible.
- Users in the possession of portable, laptop/notebook, palmtop, and other transportable computers containing "restricted" or "confidential" CSU information must not leave these computers unattended at any time unless the information is stored in encrypted form.
- Unless contractual agreements dictate otherwise, messages sent over CSU computer and communications systems are the property of CSU. This also extends to files stored on CSU networks and machines. To properly protect and manage this property, the University reserves the right to examine all data stored in or transmitted by these systems. Since the state of Georgia is an open records state, users should have no expectation of privacy associated with the information they store in or send through these systems.
- CSU does not provide default message protection services such as encryption. Accordingly, no responsibility is assumed for the disclosure of information sent over CSU's networks, and no assurances are made about the privacy of information handled by CSU internal networks. Nothing in this paragraph should be construed to imply that CSU policy does not support the controls dictated by agreements with third parties (such as organizations which have entrusted CSU with confidential information).
- Information about security measures for CSU computer and communication systems is confidential and should not be released to people who are not authorized users of the involved systems unless the permission of the Vice President of OITS has first been obtained.
- All CSU network equipment and servers must be physically secured with anti-theft devices if located in an open office environment. Additional physical access control should also be used for these devices. For example, local area network servers must be placed in locked cabinets, locked closets, or locked computer rooms.
- Access to systems development staff offices, telephone wiring closets, computer machine rooms, network switching rooms, and other work areas containing "restricted" or "confidential" information must be physically restricted.
- Users must not test, or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the System Administrator. Incidents involving unapproved system cracking, password cracking (guessing), file decryption, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of CSU policy. User requests that CSU security mechanisms be compromised must NOT be satisfied unless: (a) the Vice President of OITS approves in advance, or (b) CSU is compelled to comply by law. Likewise, short-cuts bypassing systems security measures, as well as pranks and practical jokes involving the compromise of systems security measures are absolutely prohibited.
- If a machine is determined to be vulnerable to an attack, the machine administrator will be advised and given 2 business days from the time notification is sent to correct the problem. If the problem is not corrected, the machine will be removed from the network until the problem is corrected.
- If a machine is currently involved in an attack, the machine will be removed from the network without warning to protect the network.
- From time to time, the CSU network will be audited by OITS and the State System for compliance with this and other security policies and standards.
This may include checks on machines, automated vulnerability discovery, port scans, service discovery, etc.
- Payment systems that accept credit cards should transmit credit card numbers via encryption using Secure Sockets Layer (SSL) or Secure HTTP (HTTPS) web pages.
- Given the sensitivity of credit card information, credit card numbers should not be stored on University operated systems. The University System of Georgia has contracted with TouchNet to provide secure credit card and electronic payment handling and processing for all Universities in the state. Administrative Systems should be contacted for more information on setting up web-based credit card payment systems for departmental needs.
The Vice President of OITS acknowledges that under rare circumstances, certain users will need to employ systems that are not compliant with these policies. OITS must approve, in writing, all such instances in advance. A record log will be kept of the IP address and service location.
Users who willingly and deliberately violate this policy will be subject to disciplinary action and/or loss of network connectivity.